On Fri, Jan 14, 2022 at 09:45 Martin Perina <[email protected]> wrote:
> On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <[email protected]> wrote:
>
>> On Thu, Jan 13, 2022 at 15:34 Konstantin Shalygin <[email protected]> wrote:
>>
>>> > It's possible to get, may be from Postgres, the host certificate date?
>>> > Engine run this check sometimes, but trigger this check seems impossible
>>>
>>> Anybody?
>>> @Sandro please help
>>>
>>> engine make check once per day and print to logs
>>> How can we run a manual check or see info in PostgreSQL database? This
>>> is required because the days until the end of the certificate's life
>>> expire, waiting for the next day in order to understand the result of
>>> deploying a new certificate is a strange situation
>>
>> Maybe @Martin Perina <[email protected]> can assist?
>
> Hi,
>
> host certificates are not saved anywhere in the engine database, you need
> to go to the host itself to find out the expiration date. There are 2
> options:
>
> 1. Directly on the host after connecting via SSH you can run below
>    # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
>
> 2. Remotely using openssl you can run below
>    # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity
>
> ovirt-engine performs certificate checks every day (can be configured
> using engine-config option CertificationValidityCheckTimeInHours) and it
> checks not only hosts certificates, but also the engine certificate and the
> engine CA certificate. This check produces following records in
> ovirt-engine audit log:
>
> 1. If the certificate has already expired then below audit log ALERT is
>    created depending on the type of certificate
>    - *Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.*
>    - *Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.*
>    - *Engine's CA certification has expired at ${ExpirationDate}.*
>
> 2. If the certificate is going to expire in less than 7 days, then below
>    audit log ALERT is created depending on the type of certificate
>    - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
>    - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
>    - *Engine's CA certification is about to expire at ${ExpirationDate}.*
>
> 3. If the certificate is going to expire in less than 30 days, then below
>    audit log WARNING is created depending on the type of certificate
>    - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
>    - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
>    - *Engine's CA certification is about to expire at ${ExpirationDate}.*
>
> Regards,
> Martin

Martin, is this something which can fit in oVirt administration documentation?
Konstantin, what's the purpose of getting the certificate's dates?

>>> Thanks,
>>> k
>>> _______________________________________________
>>> Users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/[email protected]/message/3WK5CJYL3PXXCJJQKLEQCQJG5X2YA3XV/
>>
>> --
>> Sandro Bonazzola
>> MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
>> Red Hat EMEA <https://www.redhat.com/>
>> [email protected]
>> <https://www.redhat.com/>
>>
>> *Red Hat respects your work life balance. Therefore there is no need to
>> answer this email out of your office hours.*
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.

--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
[email protected]
<https://www.redhat.com/>

*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
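The manual check asked about in this thread, as an added example that is not part of the original messages and is not oVirt's own code: it reads a certificate's end date with the openssl invocations from Martin's reply and classifies it with the thresholds he lists. The function names are hypothetical, GNU `date` is assumed, and the boundary handling follows the wording "less than 7/30 days" rather than the engine's source.

```shell
#!/bin/sh
# Added example (not oVirt code): on-demand version of the daily expiry check.
# Assumes the openssl CLI and GNU date (for `date -d`).

# cert_enddate FILE: print notAfter of a PEM certificate,
# e.g. "Jan 14 09:45:00 2023 GMT".
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# remote_enddate HOST [PORT]: same, for the certificate a host presents
# (port 54321 as in the reply). </dev/null ends s_client after the handshake.
remote_enddate() {
    openssl s_client -connect "$1:${2:-54321}" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# classify_expiry "NOTAFTER" [NOW_EPOCH]: print severity and days remaining.
# Thresholds from the reply: expired -> ALERT, < 7 days -> ALERT,
# < 30 days -> WARNING. Returns 2 if the date is missing or unparsable.
classify_expiry() {
    [ -n "$1" ] || return 2
    ce_end=$(date -u -d "$1" +%s) || return 2
    ce_now=${2:-$(date -u +%s)}
    ce_secs=$((ce_end - ce_now))
    ce_days=$((ce_secs / 86400))
    if [ "$ce_secs" -le 0 ]; then
        echo "ALERT expired"
    elif [ "$ce_secs" -lt $((7 * 86400)) ]; then
        echo "ALERT expires-in-${ce_days}d"
    elif [ "$ce_secs" -lt $((30 * 86400)) ]; then
        echo "WARNING expires-in-${ce_days}d"
    else
        echo "OK expires-in-${ce_days}d"
    fi
}

# Usage: sh certcheck.sh /etc/pki/vdsm/certs/vdsmcert.pem
if [ -n "${1:-}" ]; then
    classify_expiry "$(cert_enddate "$1")"
fi
```

Passing a fixed `NOW_EPOCH` as the second argument makes the classification reproducible, which is useful for confirming the result right after deploying a new certificate.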

